puppet-accounts
added forcelocal option
Adding the forcelocal option so the OS doesn't try to update LDAP when making user or group changes. The resource collector was added to the init.pp manifest so when creating local accounts, the group is created first.
Darn. I see the circular dependency. The use case I'm trying to solve is when there is a group in LDAP and you're trying to create that same group locally. Without the forcelocal option applied, the user gets created, knows the group exists in LDAP, and stops. Then the group class kicks in, sees the group isn't local and tries to do a groupmod which fails.
Using forcelocal fixes that problem, but when using manage_group: false for the user, the group has to be created first, otherwise the user creation fails.
I'm stuck. This works for my use case where I'm trying to create a local version of a single LDAP group. I see in gpasswd it's trying to create the group and add the user in one shot; however, at this point the user doesn't exist. When the user does get created it gets added to the correct group.
Warning: Modifying bolt => Execution of '/usr/bin/gpasswd -a bolt bolt' returned 3: gpasswd: user 'bolt' does not exist
Notice: /Stage[main]/Accounts/Accounts::Group[bolt]/Group[bolt]/ensure: created
Notice: /Stage[main]/Accounts/Accounts::User[bolt]/User[bolt]/ensure: created
Here's my hiera
accounts::groups:
  bolt:
    gid: 10572
    forcelocal: true
accounts::users:
  bolt:
    home: '/home/bolt'
    uid: 10572
    purge_ssh_keys: true
    manage_ssh_dir: true
    forcelocal: true
    manage_group: false
    groups:
      - 'bolt'